This article will give you an overview of how I reverse engineered the encryption (well, obfuscation really, but we will refer to it as encryption for the remainder of this article) routine of WINLDRA.EXE, an unknown binary that was used in a large-scale identity theft ring. This is a beginner/intermediate level article and assumes only that the reader has an understanding of basic x86 assembly and how operations such as AND, OR, SHL and SAR work. I will walk the reader through the operations, but it will help if you understand what they are doing.

It was a well-written article that goes into sufficient detail about what you did. One thing that bugged me was that you refer to it as encryption, but I think encoding would have been a better word. Also, it appears you spent your time reversing a base64 implementation. You may have been able to benefit by keeping a set of such implementations around for testing, and then you could have simply scanned the executable for crypto signatures. You probably would have had a hit for a base64 table, at which time you could check the address and see where it's referenced, then possibly toss some of its output through your known base64 code. Of course, keeping all of that information around is really only useful if you reverse a lot of things that may end up with some cryptography involved. There's a lot of information that can be gathered at the 50,000-foot level before you go as deep into the code as you did. Hope you run into some more interesting reversing challenges to share.
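The triage approach the comment describes (scan the binary for a base64 table, then run candidate output through known base64 code), as an added Python example that is not code from the original article or the commenter; it goes a step further than the standard table by accepting any 64-byte run of distinct base64 characters, so shuffled or custom alphabets are caught too. The sample blob and the reversed alphabet are constructed for the demo, not taken from WINLDRA.EXE.

```python
import re
import base64

# Standard RFC 4648 alphabet; the reference point for recognising a table.
STD_ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"abcdefghijklmnopqrstuvwxyz0123456789+/")

def find_base64_tables(blob):
    """Return (offset, alphabet) for every 64-byte run of distinct bytes drawn
    from the base64 charset. A shuffled or custom table matches as well, which
    is what you want when the implementation is not off-the-shelf."""
    charset = set(STD_ALPHABET + b"-_")   # also accept the URL-safe variant chars
    hits, i = [], 0
    while i + 64 <= len(blob):
        window = blob[i:i + 64]
        if all(c in charset for c in window) and len(set(window)) == 64:
            hits.append((i, window))
            i += 64                       # skip past the table just found
        else:
            i += 1
    return hits

def decode_with_alphabet(data, alphabet):
    """Decode base64 text written in a custom alphabet by translating it to the
    standard alphabet and handing it to the standard-library decoder."""
    normalised = data.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    normalised += b"=" * (-len(normalised) % 4)   # restore dropped padding
    return base64.b64decode(normalised)

def decode_candidates(blob, alphabet, min_len=8):
    """Find runs of bytes from `alphabet` (with optional '=' padding) and try to
    decode each one with that alphabet; runs that fail to decode are skipped."""
    pat = re.compile(b"[" + re.escape(alphabet) + b"]{" + str(min_len).encode() + b",}=*")
    found = []
    for m in pat.finditer(blob):
        try:
            found.append((m.start(), decode_with_alphabet(m.group(), alphabet)))
        except ValueError:                # binascii.Error is a ValueError subclass
            pass
    return found

# Constructed stand-in for an executable: header bytes, a reversed alphabet table,
# then "hello world" encoded with that reversed table (not data from WINLDRA.EXE).
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + CUSTOM_ALPHABET
               + b"\x00" * 8 + b"l5qTk5DfiJCNk5v=" + b"\xff" * 4)

if __name__ == "__main__":
    for offset, table in find_base64_tables(SAMPLE_BLOB):
        print(f"table at 0x{offset:x}: {table!r}")
        for off, plain in decode_candidates(SAMPLE_BLOB, table):
            print(f"  candidate at 0x{off:x} -> {plain!r}")
```

The table run itself also shows up as a decodable candidate (64 alphabet bytes decode to 48 bytes of noise), so a hit at a table's own offset can be ignored.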

Actually, I looked at several malicious applications last year to see if their B64 implementations were similar, dissimilar, and/or off-the-shelf. In all cases, the implementations did not appear off-the-shelf, and there was too much variance to make a direct connection. My hypothesis was that malware that might previously have been thought of as unrelated might have reused B64 code. In the specific examples I had looked at, I did not find evidence to support my hypothesis. Nevertheless, I haven't abandoned the likelihood that my hypothesis can be correct.